Skill v1.0.0

ClawScan security

Edge Router · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 12, 2026, 6:25 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (routing compute to different backends) is plausible, but the instructions tell the agent to POST arbitrary task payloads to an external API (edge-router.gpupulse.dev) without any authentication, provenance, or source information — this could leak sensitive data and is not well-justified by the metadata.
Guidance
This skill asks your agent to send task payloads to an external API (edge-router.gpupulse.dev) even though the skill metadata provides no source, homepage, or authentication details. Before installing: (1) do not send sensitive prompts/data through it; (2) ask the publisher for source code, a privacy/security policy, and API docs showing authentication and billing flow; (3) prefer a self-hosted or auditable router if you must route confidential workloads; (4) if you try it, run it in an isolated environment and monitor outbound network calls; (5) if you cannot verify the operator or code, treat this skill as a potential data-exfiltration risk.

Review Dimensions

Purpose & Capability
note: Name and description match the SKILL.md: it routes tasks among local, cloud GPU, and quantum backends. However, the SKILL.md references specific providers (Ollama, Vast.ai, Wukong 72Q) but does not explain authentication, how it integrates with those providers, or why no credentials are required. It's plausible the router is a third-party aggregator, but the metadata gives no provenance or rationale for the lack of required credentials.
Instruction Scope
concern: The runtime instructions tell the agent to POST task payloads (including model/prompt) to an external API endpoint (https://edge-router.gpupulse.dev/api/v1 or localhost:3825). That means arbitrary task data — potentially sensitive prompts, files, or inference inputs — would be transmitted off-agent to an unverified third party. There are no instructions about consent, redaction, or any limits on what may be sent. The agent is given direct network I/O instructions to a domain of unknown trustworthiness, which is scope creep relative to a simple local router helper.
Install Mechanism
ok: No install spec and no code files (instruction-only). That minimizes on-disk risk. However, the lack of installer also means all action is via network calls to an external service defined in SKILL.md, which retains a high runtime trust requirement even though install risk is low.
Credentials
concern: The skill declares no required environment variables or credentials. For a service that claims to route work to paid cloud/quantum backends, absence of any auth requirement is surprising. Either the aggregator handles billing (in which case you must trust it with all payloads and possibly account/billing info) or required credentials are missing from the spec. The lack of declared credentials increases the risk of unintended data exfiltration to an unauthenticated third party.
Persistence & Privilege
ok: The skill is not marked 'always' and uses normal autonomous invocation defaults. It does not request to persist or modify other skills or system settings in the manifest. No privilege escalation signals in the provided metadata.